By now, everybody knows that vulnerabilities that aren't remediated properly could pose a serious threat to the enterprises environment. The data breach experienced by Equifax last year exemplifies the impacts that can occur to a business that fails to remediate. However, we cannot ignore the other side of the coin – when remediation steps ARE applied they can cause significant damage and downtime in their own right.
Remediation Impact and How to Mitigate the Risks
To minimize the impact of remediation activities, organizations should analyze three areas to create a successful vulnerability management program: platform downtime, risk prioritization, and patching efficiency.
Website downtime for maintenance is, more often than not, performing updates and security patches. Hence, deciding when to patch and update is a significant consideration. Many organizations choose to patch after business hours, usually late at night. Some may choose Friday evenings so that if an issue arises, they have the weekend to recover before the business week begins on Monday.IT servers and infrastructure are more complex than ever, which invariably adds to the complexity to patch without incidents. Even with high availability environments that can limit perceived downtimes, the impact can be tested in a test environment and patching planned to take place during a day and time that would be least disruptive if a patch were to cause an issue. Depending on the organization and the criticality of the asset, unplanned downtime could have a significant financial impact as well as affecting the organization's reputation. As businesses increasingly rely on complex and integrated applications, deciding when to patch is a significant consideration.
Last year, almost one-third of CVE’s had a CVSS score of critical or high, which works out to be about 58 critical or high vulnerabilities each week. Those numbers necessitate that IT teams open up the ways that they contextualize an assessment of an organization’s risk, prioritizing the metrics that improve their vulnerability remediation program – enabling teams to scale up their remediation processes.Prioritization should take into account several specific factors:
- Identify vulnerabilities based on criticality and exploitability. Many vulnerabilities don’t have any known exploits, while others may have known exploits that are difficult to carry out. In these cases, patching won't improve an organization's security posture and creates an unnecessary risk of downtime.
- Identify critical assets. Ideally, you'll want to develop a current inventory of all platforms to include types of OS, IP addresses, locations, and function. Each platform should be defined with criteria to determine its value as critical, medium, or low. Assets deemed critical to the organization should be considered a priority to remediate, in the case of critical and exploitable vulnerabilities. The decision to remediate assets that are considered to have medium or low importance may not have the same urgency.
- Determine the potential business risk of patching vs. not patching. As Operations, R&D and testing resources are low, it’s important to find the balance between mitigating risks and the effort needed to invest in terms of time and money. An effective and efficient vulnerability management program requires technical resources and staff to communicate across teams to properly prioritize remediation in a timely manner.This communication is critical to maintain the high velocity required by today's remediation processes.
Not all patches are created equal. Some patches will resolve only one vulnerability while other patches will mitigate multiple vulnerabilities or multiple assets. A roll-up patch, for example, is multiple patches rolled into a single update. Priority should be given to roll-up patches as they are a more efficient than remediating single vulnerabilities. This also ties into the issue of speed and timing of the patching process. As highlighted in a report by Ponemon, 57% of breach victims say they were breached due to an unpatched vulnerability. Moreover, the report also shows that organizations with a manual patch management processes take longer to patch vulnerabilities, and on average lose 12 days per month coordinating the process across teams. Integrating automation into the process will improve the speed and timeliness of the patch management process.
The Price Tag of Remediation
While speed is an integral part of the remediation process, as with any cybersecurity endeavor, vulnerability management ultimately comes down to simple prioritization of the severity and risks of the vulnerabilities. Security teams must take a step back and build a vulnerability management strategy that will lead to desirable results. This is key in order to remediate vulnerabilities at a rapid pace without damaging high value business interests, all while improving the enterprise’s overall security posture.